example needed? Here is an example of the Java exploit being used against a Linux computer. It doesn't matter that the exploit was originally discovered on Windows... since it's a Java exploit it works across every version of Java that wasn't properly patched.

But, if you are suggesting that this exploit is being used against someone of us in LH64, I disagree. (As someone who has been in OS development and systems operations for the past 40 years!)

Were you attacked by this vulnerability? I hope it is not something to just raise a fear-level.

Sorry, as having been involved with DB, system, application and site security over the past years and the teams I have worked with in planning and deployment, I find the concerns raised here about JAVA and FLASH as ill placed.

This distro has NOT reported data loss or users being attacked because JAVA (for OFFICE) or FLASH (for browsers) have been exploited to the detriment of community use.

Unless you are showing that it has, we should continue to support and push forward LH64 functionality versus raising fears to limit its flexibility. Limiting flexibility does NOT promote user acceptability for 64bit systems with all of the RAM that accompany these PCs.

But, should you or anyone want to share how to limit it after you begin its use, I would welcome and applaud the info.

Here to help

If you don’t need Java, uninstall it from your system. This program is extremely buggy, and Oracle tends to take its time with security updates, behaving as if it didn’t have hundreds of millions of individual users. If you decide later that you do need Java, you can always reinstall the program. If you still want to keep Java, but only need it for specific Web sites, you can still dramatically reduce the risk from Java attacks just by disabling the plugin in your Web browser. In this case, I would suggest updating to the latest version and then adopting a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it.

Quote:

If you plan to keep Java on your system, update it now. The exploit being used in the wild now has been shown to work against Windows, Mac and Linux systems running Java 7 Update versions 1 through 6.

My personal concern relates to malware set to "explode" at a future date e.g. 1st January 2013 when all my current backups would be likely to be corrupted and full recovery might be difficult or impossible. Is there any protection for Puppy users?

Secondly, Windows users frequently use an active anti-virus-malware protection program whereas Puppy users rarely have active guards. Can any active av program provide protection against, for example, some java exploits?

But, if you are suggesting that this exploit is being used against someone of us in LH64, I disagree. (As someone who has been in OS development and systems operations for the past 40 years!)

Were you attacked by this vulnerability? I hope it is not something to just raise a fear-level.

Sorry, as having been involved with DB, system, application and site security over the past years and the teams I have worked with in planning and deployment, I find the concerns raised here about JAVA and FLASH as ill placed.

This distro has NOT reported data loss or users being attacked because JAVA (for OFFICE) or FLASH (for browsers) have been exploited to the detriment of community use.

Unless you are showing that it has, we should continue to support and push forward LH64 functionality versus raising fears to limit its flexibility. Limiting flexibility does NOT promote user acceptability for 64bit systems with all of the RAM that accompany these PCs.

But, should you or anyone want to share how to limit it after you begin its use, I would welcome and applaud the info.

Here to help

It seems that the basis of your argument is that, since we are unaware of anyone using LHP getting attacked by this vulnerability (in Java), we should not worry about it or be proactive.
A) We have no way of knowing if someone HAS been hit by this exploit or not, because not everyone who has downloaded or used LHP is on this forum and actively reporting all their issues.
B) Even if we knew as an empirical fact that not a single user of LHP was hit by this exploit, it shouldn't matter. Just because something has not happened yet does not mean that it won't.
Pretty much every security expert on the planet has said that certain programs which are known to be buggy should only be used when needed. This is, in fact, common sense. It's the same reason we don't have Apache software running on our home computers. Yeah, it could give us some benefits for sharing files on our own local network, but the problems it introduces FAR outweigh the benefits.

Yes, Java can do some pretty cool stuff. But what benefit is a Java music player? Is it better at playing media files than a program coded in C or C++?
If we have a choice between two programs for playing music, one Java and one C++ based, it makes more security sense to use the one that's not based on a horribly exploitable code platform. Unless the Java-based one offers some amazing feature that users simply can't live without... the cost/benefit analysis would tip in favor of the non-Java-based program.

This isn't about raising fear level. It's about educating people as to the potential risks involved in certain software packages. Fear mongering would be saying "NEVER USE JAVA OR YOUR COMPUTER WILL BE HACKED AND YOUR BANK ACCOUNT DRAINED!"
I don't think anyone who is speaking out about Java being used is going to that extreme. We are simply saying (in my mind at least), know the risks you have, and use Java only when it's needed. Java does not need to be running or active on my machine when I'm sleeping or out at the store shopping. For anyone to say, Java is great to use, use it all the time, and don't worry about the vast multitude of exploits for it; is doing nothing but promoting ignorance of the risk involved in using Java.

Ignorance is NOT bliss. To argue that, since we don't know absolutely that there is a problem, we should act as if there isn't one, is silly. I'm not in any way advocating that we shouldn't use Java at all. On the contrary, I have it on my system. But I install/uninstall it as I need it for certain programs. There is no benefit for me having it active when I'm not using it. All Java does when not being used is introduce another attack vector into my system.

That's why I keep Java and Flash as SFS files. I can load them when I need them, and unload them the rest of the time. A simple shell script could be written to load the SFS and activate the program I need, and then at program shutdown unload the SFS from memory. I haven't done so because I don't consider it a hassle to mount/unmount the SFS if/when I need it.
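
The load-run-unload wrapper described in the post above, sketched as an added example (not code from the original poster or from the distribution). It assumes a plain read-only loop mount of the squashfs image rather than Puppy's own SFS layer loader, that it runs as root, and that the function name `run_with_sfs` and the paths in the usage comment are hypothetical.

```sh
#!/bin/sh
# Added example: make a runtime packaged as a .sfs (squashfs) image available
# only for the lifetime of the one program that needs it.
# Assumption: plain loop mount, not Puppy's SFS layer loader. Run as root.
#
# Hypothetical usage:
#   run_with_sfs /mnt/home/java.sfs /mnt/java-sfs java -jar some-app.jar

# run_with_sfs IMAGE MOUNTPOINT COMMAND [ARGS...]
# Returns the command's exit status, or 2/3/4 for setup, mount or unmount errors.
run_with_sfs() {
    sfs_image=$1
    sfs_mnt=$2
    shift 2

    [ -f "$sfs_image" ] || { echo "no such image: $sfs_image" >&2; return 2; }
    mkdir -p "$sfs_mnt" || return 2

    # ro: nothing can modify the image while it is mounted.
    # nosuid,nodev: setuid bits and device nodes inside the image are ignored.
    mount -t squashfs -o loop,ro,nosuid,nodev "$sfs_image" "$sfs_mnt" || return 3

    # Keep this wrapper alive on Ctrl-C or TERM so the unmount below still
    # runs; the subshell resets the handler, so the program itself still stops.
    trap ':' INT TERM

    # Subshell: the PATH change does not leak into the calling shell.
    (
        PATH="$sfs_mnt/bin:$sfs_mnt/usr/bin:$PATH"
        export PATH
        "$@"
    )
    rc=$?

    trap - INT TERM

    # Unmount whatever the program's exit status was.
    umount "$sfs_mnt" || { echo "warning: $sfs_mnt is still mounted" >&2; return 4; }
    return "$rc"
}
```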

Jasper wrote:

Hi,

My personal concern relates to malware set to "explode" at a future date e.g. 1st January 2013 when all my current backups would be likely to be corrupted and full recovery might be difficult or impossible. Is there any protection for Puppy users?

Secondly, Windows users frequently use an active anti-virus-malware protection program whereas Puppy users rarely have active guards. Can any active av program provide protection against, for example, some java exploits?

My regards

To start off I'll quote the mantra "Backup often, backup early"
Second, you should have your backups stored on removable media somewhere other than attached to your computer.
Malware that is set to "explode" can only work if it's lying in memory waiting to initiate. If/when it does, it can only affect any storage device attached to your computer. A backup hard drive in your drawer won't be touched. So... if you do get popped, you can reload and go.
One reason I use frugal installs is so I can back up my system (my safe file) as often as I want. If one gets corrupted all I need to do is reinstall my system and copy the backed-up safe file to my computer and I'm back in business.

As for A/V malware protection for Linux, there are some. I personally use ESET Nod32 for Linux. But.... it's not free. Ironic you asked this, because I was working on packaging up an AV program for LHP this weekend and coming week. I was going to package up ClamAV. I prefer Nod32 because of its heuristics that actively scan memory. I find that it's far superior to other AV products at detecting unknown viruses.
That being said though, AV products can't guarantee protection against application exploits. They may be able to detect some through scanning programs in memory and what changes they are attempting to make, but they can't promise much. Once an exploit is known, usually AV companies do add those definitions into their products.

Jasper wrote:

Hi again,

With my 1024 pixel width, the display of text on page 16 of this thread is far wider than that.

With Opera I have it set to word wrap, but if anyone could explain how to achieve word wrap in SeaMonkey, Firefox and/or any other browser that might be a help to some of us.

Thank you very much for your help, but I am not totally clear and would appreciate clarification.

Say I collect a "tomorrow's time bomb" whilst on line now and I'm using sda1.

In another 30 minutes I do an incremental backup to my 2nd internal drive on sdb1.

It's the "in memory" bit that I don't entirely understand and ask whether I can always recover in this case.

My regards

OK, you get "tomorrow's time bomb" (TTB) using sda1. You back up to sdb1.
You disconnect sdb1 from your computer and put it in your drawer.
TTB on sdb1 can't do anything to the data on sdb1.
TTB is also sitting on sda1 which is on your computer.
But to run, TTB needs to be in RAM.

TTB can only 'run' at the given time if it's already executed and 'in memory' (RAM).
So when the TTB in RAM hits the date it then activates. If it's not in RAM and is just a file on your computer it can't do anything. The malware itself checks for the time stamp to run. If it's dormant on your drive it can't check anything, since nothing will be telling TTB 'hey it's the date, do stuff'.

Malware works by lying in memory waiting to work. So let's say TTB is in RAM... it'll delete your files on sda1 since that's plugged in. The files on sdb1 are OK, since they are disconnected.
You can re-install your system using your sdb1 backup, but you're re-installing TTB as well.
This is why you 'Backup Often'. That way you can go back and find a backup copy of your system BEFORE the infection took place.

Does that explain it to you more clearly?

I always recommend making a backup copy of your system immediately after you install everything. That way you know you have a good clean system as a backup.

Thank you, as an explanation that is clear and what I had expected (though less technically).

Now today I get a 1st January 2013 time bomb - so all my backups made in the rest of this year are "corrupted" and "usefully" unrestorable in entirety.

If I already have and keep an uncorrupted backup it is way out of date, but is there a good chance that I might recover letters, emails, pictures, spreadsheets and any "data" made between today and the end of the year?

My apology if I am being a pain, but, apart from fire damage, this is my main concern (though I never spend time thinking about it as I am careful with my browsing habits and know of no other promising protective measures apart from an occasional av check).

My regards

Yes if today you got a TTB for Jan 1, 2013, every backup would include it.
However if you're careful you could still extract letters/pictures/etc out of that backup without restoring the malware in that backup.

You could still mount the backup safe file and copy "ONLY" the data you want. However you would want to double check that you didn't get anything extra by checking /initrd/pup_rw before you shut down.
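
One way to do the "copy ONLY the data" step from the reply above, as an added example (not the poster's own script). It assumes the backed-up save file is a loop-mountable filesystem image and that the script runs as root; the function names and the extension allowlist are hypothetical.

```sh
#!/bin/sh
# Added example: pull only plain data files out of a backup that may also
# contain malware, without running or restoring anything else from it.
# Assumptions: loop-mountable save file image, run as root.

# Extensions treated as plain data (matched case-insensitively). Hypothetical list.
DATA_EXTS="odt ods doc xls pdf txt jpg jpeg png eml"

# copy_data_only SRC_DIR DEST_DIR
# Copies regular files with an allowlisted extension, keeping their relative
# paths. Symlinks, dotfiles, hidden directories, scripts and everything else
# are skipped, and every copy is written non-executable (mode 0644).
copy_data_only() {
    src=$1
    dest=$2

    # Build "-iname *.ext -o -iname *.ext ..." for find from the allowlist.
    set --
    for ext in $DATA_EXTS; do
        if [ $# -gt 0 ]; then set -- "$@" -o; fi
        set -- "$@" -iname "*.$ext"
    done

    ( cd "$src" && find . -name '.?*' -prune -o -type f \( "$@" \) -print ) |
    while IFS= read -r rel; do
        mkdir -p "$dest/$(dirname "$rel")" &&
        cp "$src/$rel" "$dest/$rel" &&
        chmod 0644 "$dest/$rel"
    done
}

# restore_data_from_savefile IMAGE MOUNTPOINT DEST_DIR
# Mounts the image read-only with noexec so nothing inside it can be executed
# or changed while the data is copied out, then unmounts it again.
restore_data_from_savefile() {
    image=$1
    mnt=$2
    out=$3

    mkdir -p "$mnt" "$out" || return 2
    mount -o loop,ro,noexec,nosuid,nodev "$image" "$mnt" || return 3
    copy_data_only "$mnt" "$out"
    rc=$?
    umount "$mnt" || return 4
    return "$rc"
}
```

An allowlist by extension only filters what gets copied; documents that can carry macros are still worth opening with care afterwards.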

Thanks guys for a truly scintillating debate - it's clear that while we won't all go down with any digital Titanic in the immediate future, it is comforting to know that there is a spectrum of choices we can make individually when deciding what level of prevention is better than putative cure.
That's really why I'm with Puppy - anyone here remember wasting a day of their life re-installing a Windows OS, updating all the anti-virus, root-kits, trojans, firewalls (even if "free"ware - e.g., http://www.techsupportalert.com/pc/security-tools.html)? Sheesh - look at all those innovative ways that data can be modified and extracted without permission - bit like natural selection, and the advent of nasties like H1N1, Hendra, even permutations of the golden oldies of Avian and Spanish 'flu etc... Such a joy to now just replace a corrupted Puppy system quickly and easily with a backed-up save file...
My uni fell briefly to attack recently, although we haven't been fully informed of the details we were in shutdown with no off-campus, off-server exchanges permitted for a day while the system was purged (?) of the digital malaise. (It's a MS system, and supports only closed-source software at hideous expense for licensing.) It was an event that had a lot of students commenting with the belief that Linux is more secure - I corrected them to the best of my knowledge, that it is certainly not a "closed system" and there are ways it can be potentially exploited. Great to see that active discussion here shows that Puppy is ready to be ahead of the security curve, as/ if/ when the need arises. No wool pulled over the eyes of these sheepdogs...

I do recommend running browsers as an unprivileged user, spot (which is the default with Lighthouse64 and Fatdog64.) If you aren't sure which you are running, click Menu -> Setup -> Choose Default Browser.

I'm not suggesting that it is unnecessary to keep JavaRE and Flash updated, rather that running as spot should minimize any security risks because spot cannot alter or remove files not owned by spot.

Also keep in mind that unless you're running multi-session, the LiveCD-R or DVD-R that you installed Lighthouse from is read-only, (and therefore not susceptible to malware for all practical purposes.) So booting from the LiveCD with puppy pfix=ram will give you a clean boot in case you need to restore a backup, access your data or, browse securely with no disk drives mounted.

Thanks for that info re Spot, TaZoC -
I use the FF add-on "Zotero" copiously for my research, but as I have a habit of installing the incorrect software and totally borking my save file, I now keep my Zotero storage files on a separate partition. Resurrection and backup is now a total breeze. However I then ran into problems with not being able to download linked pdfs into the literature repository of my choice - Spot would only let me save to the Downloads directory (under spot), and this means tedious double-movement of files to where I needed them, later. But thanks for pointing out this solution - when I want to use Zotero with minimum hassle (? barring security risks) in LH, I should go to the non-spot FF. This is a better solution to the "Out, damn'd spot" route I was contemplating, thank you!

Could I ask that you might think of organising the Desktop Settings menu a little clearer? Some applications are global, while others are WM-specific and I don't know which works with what. I find my personal preference for Openbox WM, but I don't like desktop icons except my drive/partition/mount points. So show/hide desktop icons prevents those drive icons appearing. Instead of my usual preference for wbar, I found "Panel" already provided for my favourite apps - but that's XFCE and while I spent a while trying to incorporate it with an autostart script*, had to keep loading it up from the menu on reboots. Eventually I struck on your LXPanel - literally under my nose the whole time - so have a panel2 working to my liking. In short - even though it might involve a 4th-order of menus, might you consider arranging the desktop settings within WM-specific sub-menus?
That, or perhaps some other solution, like being able to edit the startup /autostart script from within PupControl etc., so we might mix'n'match WM features?
Sorry I'm not making a lot of sense, perhaps - up to my neck in exam preparations,
Cheers!

* can't recall the correct term. The script that loads sven etc., on startup of a given WM.

http://www.oracle.com/technetwork/java/javase/7u9-relnotes-1863279.html
Ironic since we've been having a discussion on Java exploits. Oracle has released yet another update for JRE. 7u9 was released to fix errors they introduced with their 7u7 update.
Gotta love systemic flaws which patching just creates more issues.
I think we're up to like 4 major java updates since August.

Yeah, let's applaud the JAVA community for continually staying on top of things.

Oracle is very good and has an honest reputation in the IT community over the past 30 years.

As chipsets, processors, and OSes advance, it is great to see that open source efforts stay consistent with advances.

There is a flaw in an argument that was recently posted, but I will not address it here. And, as TaZoC has pointed to, there have been steps taken in Puppyland, specifically, to minimize additional dangers that could be used as a path to exploit a running distro. As such, our community of PUPs and the PUP diversity make this a tremendously exhaustive effort for exploitation for a gain which is so small as it is completely worthless to attempt. And, we also MUST remember that our community is about one-tenth of 1 percent of all PCs in the world running Linux (all versions), Apple, Microsoft, etc.

This means that many measures in and out of this community have been taken as we have some confidence of safe passage as we use our system for any/all local services that come with PUPs and especially with LH64.

But, again, let's also applaud our community developers for making a safe and easy to understand and use product as has been done for us.

Most, if not all, of us, are not exploited, now.

Here to help
P.S. This discussion really belongs elsewhere in the Puppy forum (and there already exist threads to address "Security" in this forum). Since we do NOT have a security bug present, this latest discussion is largely academic.

Maybe we should consider future discussion on security in that existing "Security" thread...maybe, huh?

I have no problem discussing things in a security thread, however this discussion has been centered around security within LHP. I see no reason for LHP users to have to search for another thread to read/learn/discuss security issues with LHP. As long as the discussion centers around particular security issues and how they impact LHP or LHP users directly, I don't see why it can't be in this thread. I do agree that general security discussion can be held elsewhere, but from my time on this forum I've noticed that usually doesn't occur, since many of those threads aren't followed as much as the individual pupplet threads. C'est la vie, je suppose.

Also I don't really see this discussion as academic. JRE 7u7 has security flaws in it. JRE 7u7 is the most recent available version for LHP users. And currently (until this post) there hasn't been an update available for it. So everyone using LHP, unless they've compiled it themselves, is vulnerable.
